Sunday, January 11, 2015

Auditd - Tool for Security Auditing on Linux Server

http://linoxide.com/how-tos/auditd-tool-security-auditing

First of all, we wish all our readers a Happy and Prosperous New Year 2015 from the Linoxide team. So let's start this new year by explaining the auditd tool.
Security is one of the main factors we need to consider. We must maintain it because we don't want someone to steal our data. Security includes many things, and auditing is one of them.
On Linux systems we have a tool named auditd. This tool is present by default in most Linux distributions. What is auditd and how do we use it? We will cover that below.

What is auditd?

Auditd, or the audit daemon, is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk.

Installing auditd

On Ubuntu based systems, we can use the wajig tool or apt-get to install auditd.
Just follow the instructions to get it done. Once it finishes, it will have installed some tools related to auditd. Here are the tools:

auditctl ; a tool to control the behaviour of the daemon on the fly: adding rules, etc.

/etc/audit/audit.rules ; the file that contains the audit rules

aureport ; a tool to generate and view audit reports

ausearch ; a tool to search for various events

audispd ; a tool which can be used to relay event notifications to other applications instead of writing them to disk in the audit log

autrace ; a command that can be used to trace a process

/etc/audit/auditd.conf ; the configuration file of the auditd tool

When auditd is first installed, there are no rules available yet.

We can check this using this command :

$ sudo auditctl -l

To add rules to auditd, let's continue to the section below.

How to use it

Audit files and directories access

One of the basic needs for using an audit tool is: how can we know if someone changed a file or directory? Using auditd, we can do this with the commands below (please remember, we need root privileges to configure auditd).

Audit files

$ sudo auditctl -w /etc/passwd -p rwxa

With :

-w path ; this parameter inserts a watch for the file system object at path. In the example above, auditd will watch the /etc/passwd file

-p ; this parameter describes the permission access types that a file system watch will trigger on

rwxa ; the attributes bound to the -p parameter above. r is read, w is write, x is execute and a is attribute change

Audit directories

To audit directories, we will use a similar command. Let’s take a look at the command below :

$ sudo auditctl -w /production/

The above command will watch any access to the /production folder (with no -p given, all of rwxa are watched).
Now, if we run the auditctl -l command again, we will see that the new rules have been added.
Now let's see what the audit log says.

Viewing the audit log

After the rules are added, we can see auditd in action. To view the audit log, we use the ausearch tool.
We already added a rule to watch the /etc/passwd file. Now we will use ausearch to view the audit log.

As the ausearch output shows, at that particular time /etc/passwd was accessed by user root (uid=0 and gid=0) from the directory /root (cwd=/root). The /etc/passwd file was accessed by the chfn command, which is located at /usr/bin/chfn.
If we type man chfn on the console, we will see more detail about what chfn is.
Now let's take a look at another example.
We already told auditd to watch the directory /production/. That is a new directory, so when we try ausearch the first time, it finds nothing.
Next, the root account lists the /production directory using the ls command. The second time we run ausearch, it shows us some information.

Similar to the previous one, we can determine that the /production folder was listed by the root account (uid=0 gid=0) using the ls command (comm=ls), and that the ls command is located at /bin/ls.

Viewing the audit reports

Once we put the audit rules in place, auditing runs automatically. After a period of time, we want to see how auditd can help us track what happened.
Auditd comes with another tool called aureport. As we can guess from its name, aureport is a tool that produces summary reports from the audit system log.
We already told auditd to track /etc/passwd. A moment after the rule is set up, the audit.log file is created.
To generate the audit report, we use the aureport tool. Without any parameters, aureport generates a summary report of audit activity.

$ sudo aureport

As we can see, the summary covers the most important areas. In the picture above we see there were 3 failed authentications. Using aureport, we can drill down into that information.
We can use this command to look deeper at failed authentications :

$ sudo aureport -au

As we can see in the picture above, there are two users who failed to authenticate at that particular time.
If we want to see all events related to account modification, we can use the -m parameter.

$ sudo aureport -m
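The ausearch and aureport sections above describe the fields to read in an audit record (uid, gid, cwd, comm, exe, the accessed path) and the failed-authentication summary. The following is an added example, not code from the original post or from the audit project: a small Python parser for raw audit.log records that joins the SYSCALL, CWD and PATH records of one event by their serial number, answers "who touched this watched path" the way ausearch -f does, and counts failed authentications the way aureport -au does. The log lines are constructed for this example (the serials, PIDs, inodes and addresses are made up); the record layout follows the standard type=... msg=audit(timestamp:serial): key=value format.

```python
import re

# Constructed sample of raw audit.log records (made-up values; the layout
# matches the kernel audit record format). Serial 101 is the chfn access to
# /etc/passwd and 102 the ls of /production/ described in the post; 103-106
# are PAM authentication records, three of them failed, for two accounts.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1420971234.123:101): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2345 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="chfn" exe="/usr/bin/chfn" key=(null)
type=CWD msg=audit(1420971234.123:101):  cwd="/root"
type=PATH msg=audit(1420971234.123:101): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1420971300.456:102): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2346 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key=(null)
type=CWD msg=audit(1420971300.456:102):  cwd="/root"
type=PATH msg=audit(1420971300.456:102): item=0 name="/production/" inode=262 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1420971400.789:103): pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1420971401.000:104): pid=2401 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1420971402.000:105): pid=2402 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1420971500.000:106): pid=2403 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
"""

# Every record starts with its type and the msg=audit(time:serial) stamp;
# all records of one event share the same serial.
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs: single-quoted nested message, double-quoted string,
# parenthesised value such as (null), or a bare token.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\([^)]*\)|\S+)")


def parse_fields(body):
    """Turn 'k=v k="v" msg='k=v ...'' into a dict, flattening nested msg='...' blocks."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))  # USER_AUTH keeps acct/res inside msg='...'
        else:
            fields[key] = value.strip('"')
    return fields


def parse_log(text):
    """Group records by serial so SYSCALL, CWD and PATH lines form one event."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, truncated line)
        ev = events.setdefault(m["serial"], {"time": float(m["ts"]), "types": [], "paths": []})
        ev["types"].append(m["type"])
        fields = parse_fields(m["body"])
        if m["type"] == "PATH":
            ev["paths"].append(fields.get("name", ""))  # an event may carry several PATH items
        else:
            ev.update(fields)
    return events


def file_accesses(events, path):
    """Events that touched the watched path: who (uid/gid), from where (cwd), with what (comm/exe)."""
    wanted = path.rstrip("/")
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["time"]):
        if any(p.rstrip("/") == wanted for p in ev["paths"]):
            hits.append({"serial": serial, "uid": ev.get("uid"), "gid": ev.get("gid"),
                         "cwd": ev.get("cwd"), "comm": ev.get("comm"), "exe": ev.get("exe")})
    return hits


def auth_summary(events):
    """Failed-authentication summary in the spirit of `aureport -au`."""
    failed = [(ev["acct"], ev.get("addr"), ev["res"])
              for ev in events.values()
              if "USER_AUTH" in ev["types"] and ev.get("res") == "failed"]
    return {"failed_count": len(failed),
            "accounts": sorted({acct for acct, _, _ in failed}),
            "details": failed}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in file_accesses(evs, "/etc/passwd") + file_accesses(evs, "/production/"):
        print(hit)
    print(auth_summary(evs))
```

On a live system the same functions can be fed the contents of /var/log/audit/audit.log (read as root), or the output of ausearch --raw; the serial-based grouping is what lets you pair the PATH record that names the watched file with the SYSCALL record that names the process and user.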

Auditd configuration file

Previously we already added :

$ sudo auditctl -w /etc/passwd -p rwxa

$ sudo auditctl -w /production/

Now, if we are sure the rules are OK, we can add them to /etc/audit/audit.rules to make them permanent. Each line of that file takes the same arguments we gave to auditctl above. Then don't forget to restart the auditd daemon.

# /etc/init.d/auditd restart

OR

# service auditd restart
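The watch rules from the "Audit files and directories access" section and the permanent rules file just described can be generated rather than typed by hand. Here is an added example (not code from the original post or from the audit project) that builds the text of an audit.rules file from a list of watches, rejecting any -p letter outside rwxa before it reaches the file. The leading -D (delete all rules) and -b (backlog buffer) lines are standard auditctl options that stock audit.rules files begin with; the buffer size 8192 is an assumed value, not one from the post.

```python
VALID_PERMS = "rwxa"  # r=read, w=write, x=execute, a=attribute change (see -p above)


def watch_rule(path, perms=None):
    """One audit.rules line equivalent to `auditctl -w PATH [-p PERMS]`."""
    if not path.startswith("/"):
        raise ValueError(f"watch path must be absolute: {path!r}")
    rule = f"-w {path}"
    if perms:
        bad = set(perms) - set(VALID_PERMS)
        if bad:
            raise ValueError(f"invalid -p letters {sorted(bad)} in {perms!r}; allowed: {VALID_PERMS}")
        # canonical order, duplicates dropped, so "awa" and "wa" produce the same rule
        canonical = "".join(sorted(set(perms), key=VALID_PERMS.index))
        rule += f" -p {canonical}"
    return rule  # no -p means the watch fires on all of rwxa, as with /production/ above


def build_rules_file(watches):
    """Assemble audit.rules text; -D first so reloading the file never duplicates rules."""
    lines = ["# Generated watch rules (example)", "-D", "-b 8192"]  # 8192 is an assumed buffer size
    seen = set()
    for path, perms in watches:
        rule = watch_rule(path, perms)
        if rule in seen:
            continue  # identical watch listed twice: write it once
        seen.add(rule)
        lines.append(rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The two watches used in this post.
    print(build_rules_file([("/etc/passwd", "rwxa"), ("/production/", None)]), end="")
```

Write the generated text to /etc/audit/audit.rules as root and restart auditd as shown above; running auditctl -l afterwards confirms the rules loaded. Keep the list short: every extra watch adds records to audit.log.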

Conclusion

Auditd is one of the audit tools available on Linux systems. You can explore auditd and its related tools in more detail by reading their manual pages. For example, type man auditd to see more detail about auditd, or man ausearch to see more detail about the ausearch tool. Please be careful when creating rules: your log file size will increase significantly if too much information is recorded.